List:       cygwin-apps
Subject:    Re: Updated: {jasper/libjasper1/libjasper-devel}-1.900.22-1: JPEG-2000 codec library
From:       Yaakov Selkowitz <yselkowitz () cygwin ! com>
Date:       2017-03-24 19:02:47
Message-ID: 3ceff525-9c83-f23a-e55e-156e5c301600 () cygwin ! com

On 2017-02-22 13:53, Yaakov Selkowitz wrote:
> On 2017-01-18 06:11, Dr. Volker Zell wrote:
>> On 12.01.2017 21:26, Yaakov Selkowitz wrote:
>>> On 2017-01-03 08:32, Dr. Volker Zell wrote:
>>>> New versions of 'jasper/libjasper1/libjasper-devel' have been uploaded
>>>> to a server near you.
>>>>
>>>>  o Build for cygwin 2.6.1 with gcc-5.4.0
>>>>  o Update to latest version before ABI bump
>>>
>>> Not really; the fix therein for CVE-2015-5203 broke ABI on 64-bit
>>> systems by changing the size of an existing member of a public struct
>>> (int to size_t), just that they neglected to bump the ABI version until
>>> afterwards:
>>>
>>> https://github.com/mdadams/jasper/issues/84
>>>
>>> For compatibility with packages currently linked with libjasper1, this
>>> needs to be reverted in part.  Here is what Fedora is currently shipping
>>> on stable branches:
>>>
>>> http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/?h=f25
>>
>> Is this the complete current patchset relative to jasper-1.900.1, you
>> want me to apply ?
>
> No, the details are in the .spec file.  In short, you want 1.900.13 plus
> the jasper-1.900.1-CVE-2008-3520.patch and
> jasper-1.900.13-CVE-2016-9583.patch patches.

There are now additionally jasper-1.900.13-CVE-2016-9262.patch and 
jasper-1.900.13-CVE-2016-8654.patch.

> Once that's uploaded, then let's proceed with an upgrade to 2.0.10,
> which already has all the fixes along with the ABI version change.

That's 2.0.12 now.

-- 
Yaakov
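
The ABI break described in the thread (an existing member of a public struct widened from int to size_t without a version bump), as an added example that is not part of the original message or the jasper sources. The struct and function names are hypothetical; the stale caller is simulated by reading a new-layout object at the old layout's offset.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical public struct as an already-built application compiled it. */
struct buf_v1 {
    unsigned char *data;
    int bufsize;    /* 4 bytes on common 64-bit ABIs */
    int len;
    int pos;
};

/* Same struct after the member types were widened, shipped under the same ABI version. */
struct buf_v2 {
    unsigned char *data;
    size_t bufsize; /* 8 bytes on 64-bit targets */
    size_t len;
    size_t pos;
};

/* Returns 1 if a binary built against v1 sees an identical layout in v2. */
int layouts_compatible(void)
{
    return sizeof(struct buf_v1) == sizeof(struct buf_v2)
        && offsetof(struct buf_v1, bufsize) == offsetof(struct buf_v2, bufsize)
        && offsetof(struct buf_v1, len) == offsetof(struct buf_v2, len)
        && offsetof(struct buf_v1, pos) == offsetof(struct buf_v2, pos);
}

/* Simulates a stale caller: the library fills a v2 object, the application
 * reads 'len' at the v1 offset. Returns the value the application sees. */
int stale_read_len(size_t real_len)
{
    struct buf_v2 obj = { NULL, 4096, real_len, 0 };
    unsigned char raw[sizeof obj];
    int seen;

    memcpy(raw, &obj, sizeof obj);
    memcpy(&seen, raw + offsetof(struct buf_v1, len), sizeof seen);
    return seen;
}

int main(void)
{
    printf("sizeof v1=%zu v2=%zu compatible=%d\n",
           sizeof(struct buf_v1), sizeof(struct buf_v2), layouts_compatible());
    printf("library set len=100, stale caller reads len=%d\n", stale_read_len(100));
    return 0;
}
```

On a 32-bit target both layouts match and the stale read returns 100, which is why the breakage shows up only on 64-bit systems.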